Healthcare data breaches have increased considerably since 2010, new research shows. But the entity that is targeted plays a major role in the magnitude of a given breach.
The majority of breaches in healthcare over the last seven years—70%—have involved providers. By contrast, only 13% have involved health plans, according to a new study in the Journal of the American Medical Association (JAMA). But while those provider breaches exposed 37.1 million records, plan breaches exposed 110.4 million—nearly three times that number.
All told, healthcare data breaches compromised 176.4 million records between 2010 and 2017.
“Three breaches account for the majority of records breached,” noted Massachusetts General Hospital’s Tom McCoy, M.D., who co-authored the study. “There’s this class of exceptionally large breaches that are quite consequential.”
Three insurers—Anthem, Premera Blue Cross and Excellus BlueCross BlueShield—reported breaches in 2015, accounting for more than 100 million records. Anthem ultimately agreed to a $115 million settlement. Premera and Excellus are still working their way through the court system.
The most commonly targeted media locations evolved from laptops and film or paper records in 2010 to network servers and emails in 2017.
Moreover, most breached records were stolen in 2010. Hardly any breaches were the result of hackings or IT incidents that year. But hackings shot up in frequency, ultimately becoming the most common breach type in 2017.
Electronic health records (EHRs) are a double-edged sword. McCoy said EHRs “present a really important means of transformational discovery,” but the article notes increased use of the technology may present more opportunities for data breaches.
As the healthcare industry continues to use digital patient data for good, it must also be mindful of the growing cybersecurity risks, McCoy added.
“In some ways, that’s the heart of medicine—creating risk and benefit,” he reflected.
“The motivation for this study was that I use health records data in my research,” he added. “I wanted to better understand the risk that such data might pose to my patients.”
But what can patients do to protect themselves?
“Patients have an expectation of confidentiality," McCoy said. "These breaches are a preventable, ideally, failure to meet that patient expectation. I think patients can have, hold, and vocalize that expectation as a way of guiding how plans, providers, business associates, etc. prioritize scarce resources,”